I am trying to validate the signing certificate present in a signature.

I read the information in the support:

Quote

So the algorithm of complete validation of the certificate is

1. Call ElCustomCertStorage.Validate().
2. If the Validate() method reports that the certificate is valid, use ElCustomCertStorage.GetIssuerCertificate to find the issuer certificate.
3. If the issuer certificate was found, go to (1) (validate it).
4. If the issuer certificate was not found or the certificate being validated is self-signed, check that the certificate is trusted (usually certificates located in the CA and ROOT storages of WinCertStorage are trusted).
5. If the certificate is not among the trusted certificates, warn the user.
6. If the certificate is not valid, warn the user.
7. Check that the certificate is not included in a certificate revocation list (see below). If it is, warn the user.

Is the "cert" value not null? In case there are several X509Certificate elements under one X509Data, you should check the CertStorage property.

Quote

storage.Add(cert,true);

Use a TElMemoryCertStorage, not a TElCustomCertStorage (this is an abstract class, should be marked so).
And try passing second parameter as false. The certificate loaded from xml data mustn't contain a private key.

Is the "cert" value not null? In case there are several X509Certificate elements under one X509Data, you should check the CertStorage property.

cert is not null.
OK, I was only checking for its presence, for testing purposes.

Quote

Bogatskyy wrote:

Quote

storage.Add(cert,true);

Use a TElMemoryCertStorage, not a TElCustomCertStorage (this is an abstract class, should be marked so).
And try passing second parameter as false. The certificate loaded from xml data mustn't contain a private key.

For example, the cert is from "CA".
Then you change the system store to "ROOT", and try to validate it. But the cert object became invalid because you changed the system store.
So, you will need to use several different TElWinCertStorage objects.

I don't know what the correct way to do certificate validation is.
I take the certificates present in the KeyInfo element, add them to MemoryCertStorage and start with the validation of the first, get the issuer certificate and validate it... until no issuer certificate exists in the MemoryCertStorage?
Then do I find that issuer in WinCertStorage, starting with the CA system storage?

The simplest way is to create one storage that contains the certificates from MY, CA and ROOT.
And then validate using that storage.
Because, theoretically, the certificate chain could be like this: CA->ROOT->CA->UserCertificate
Then, in the end, you should get the self-signed certificate (check the cert.SelfSigned property).
If the self-signed certificate is in the ROOT system store (use the winRoot.IndexOf(..) method) then it is trusted; otherwise warn the user.

As I understand what I have read, the KeyInfo element could contain some of the certificates used, because the verifying user may not have them.
The SigningCertificate information references the certificate used to sign, and that info should serve to find the certificate in memStorage.
Right?

Now my algorithm is:
- Load certificates from WinCertStorage into memStorage
- Get the certificates from the KeyInfo element; if they aren't present in memStorage, add them
- Get the SigningCertificate information
- Find the certificate in memStorage
- If it exists
- Validate from bottom to top
- When no issuer certificate exists, verify whether it is self-signed and trusted (present in CA or ROOT)

This is for verifying whether the KeyInfo certificates are already in the memCertStorage or not.

In this space will be the code to find the certificate referenced by SigningCertificate.
I can't get the certificate, because I tried comparing the serial number (in a for loop) but all the certificates created by CertDemo have 0 as serial number. Is there another method for doing this?

As I understand what I have read, the KeyInfo element could contain some of the certificates used, because the verifying user may not have them.
The SigningCertificate information references the certificate used to sign, and that info should serve to find the certificate in memStorage.
Right?

SigningCertificate. This property contains an unambiguous reference to the signer's
certificate, formed by its identifier and the digest value of the certificate. Its usage is particularly
important when a signer holds a number of different certificates containing the same public key, to avoid
claims by a verifier that the signature implies another certificate with different semantics. This is also
important when the signer holds different certificates containing different public keys in order to provide
the verifier with the correct signature verification data. Finally, it is also important in case the issuing key
of the CA providing the certificate would be compromised.

Quote

now my algorith is

Seems to be OK.

Quote

all the certificates created by CertDemo have 0 as serial number.

To generate a certificate with a serial number using CertDemo:
in the buttonGenerate_Click method, set the CreatedCert.SerialNumber property.

If I only add the serial number to the criteria, or set the options for ExactMatch only, it returns an index. But when searching for serial number and CertHash it returns -1.
Searching only by serial number isn't correct, right? For example, 2 CAs can give the same serial number to two certificates.

When validating the certificates from bottom to top, on the first call of the memCertStorage.Validate(cert, ref reason, date) method, should the date be the signingTime present in the Object element?
When validating an issuer certificate, should the date be the "valid from" date of the child certificate?
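The chain walk described in the support answer (steps 1 to 7, the combined MY+CA+ROOT storage, the SelfSigned check against the ROOT store) and the SigningCertificate lookup discussed in the later posts, written out as one runnable model. This is an added example, not code from the thread and not the SecureBlackbox API: the `Storage` class below is an assumed stand-in whose `validate`, `get_issuer_certificate`, `index_of` and `find_signing_cert` methods only mirror the intent of the TElCustomCertStorage / TElWinCertStorage calls named above, the certificate records and their "DER" bytes are constructed, and the validation date is simply a parameter passed through for every certificate in the chain. It also includes a guard for an issuer loop, which the thread does not mention.

```python
"""Model of the certificate chain walk from the thread (added example, not SecureBlackbox code).

Validate / GetIssuerCertificate / IndexOf are replaced by assumed stand-in methods on a toy
storage so the control flow can be run offline. All certificate records are constructed.
"""
import hashlib
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate; only the fields the algorithm needs."""
    subject: str
    issuer: str
    serial: int
    not_before: date
    not_after: date
    der: bytes  # constructed placeholder for the DER encoding

    @property
    def self_signed(self) -> bool:  # stands in for cert.SelfSigned
        return self.subject == self.issuer

    def digest(self) -> bytes:  # the digest a SigningCertificate reference would carry
        return hashlib.sha256(self.der).digest()


class Storage:
    """Assumed stand-in for TElMemoryCertStorage / TElWinCertStorage lookups."""

    def __init__(self, certs=()):
        self.certs: list[Cert] = []
        for c in certs:
            self.add(c)

    def index_of(self, cert: Cert) -> int:  # stands in for IndexOf; identity = encoded bytes
        for i, c in enumerate(self.certs):
            if c.der == cert.der:
                return i
        return -1

    def add(self, cert: Cert) -> None:  # "if not present in memStorage, add it"
        if self.index_of(cert) == -1:
            self.certs.append(cert)

    def find_signing_cert(self, issuer: str, serial: int, digest: bytes):
        """Resolve a SigningCertificate reference: issuer, serial AND digest must all match.
        Serial alone is ambiguous because two CAs can issue the same serial number."""
        for c in self.certs:
            if c.issuer == issuer and c.serial == serial and c.digest() == digest:
                return c
        return None

    def get_issuer_certificate(self, cert: Cert):  # stands in for GetIssuerCertificate
        for c in self.certs:
            if c.subject == cert.issuer and c.der != cert.der:
                return c
        return None

    def validate(self, cert: Cert, on_date: date):  # stands in for Validate(): reason or None
        if not (cert.not_before <= on_date <= cert.not_after):
            return "outside validity period"
        return None


def validate_chain(cert, storage, root_store, revoked, on_date, max_depth=16):
    """Steps 1-7 of the support answer. Returns (trusted, chain_of_subjects, warnings)."""
    chain, warnings, seen = [], [], set()
    while True:
        if cert.der in seen or len(chain) >= max_depth:   # guard against issuers that loop
            warnings.append(f"{cert.subject}: issuer loop or chain too long")
            return False, chain, warnings
        seen.add(cert.der)
        chain.append(cert.subject)
        reason = storage.validate(cert, on_date)           # step 1
        if reason is not None:                             # step 6
            warnings.append(f"{cert.subject}: {reason}")
            return False, chain, warnings
        if (cert.issuer, cert.serial) in revoked:          # step 7: CRL entry is issuer+serial
            warnings.append(f"{cert.subject}: revoked")
            return False, chain, warnings
        if cert.self_signed:                               # step 4: top of the chain reached
            if root_store.index_of(cert) == -1:            # step 5
                warnings.append(f"{cert.subject}: self-signed but not in ROOT")
                return False, chain, warnings
            return True, chain, warnings
        issuer = storage.get_issuer_certificate(cert)      # step 2
        if issuer is None:                                 # step 4: no issuer and not self-signed
            warnings.append(f"{cert.subject}: issuer not found in storage")
            return False, chain, warnings
        cert = issuer                                      # step 3: validate the issuer next


# Constructed sample data (not from the thread). ROOT_STORE stands in for the Windows ROOT
# store; COMBINED stands in for one storage holding MY + CA + ROOT plus the KeyInfo certificates.
ROOT = Cert("Example Root", "Example Root", 1, date(2020, 1, 1), date(2040, 1, 1), b"der:root")
CA = Cert("Example CA", "Example Root", 7, date(2021, 1, 1), date(2031, 1, 1), b"der:ca")
ALICE = Cert("alice", "Example CA", 42, date(2023, 1, 1), date(2025, 12, 31), b"der:alice")
BOB = Cert("bob", "Other CA", 42, date(2023, 1, 1), date(2025, 12, 31), b"der:bob")  # same serial
ROGUE = Cert("Rogue Root", "Rogue Root", 1, date(2020, 1, 1), date(2040, 1, 1), b"der:rogue")

ROOT_STORE = Storage([ROOT])
COMBINED = Storage([ROOT, CA])
for key_info_cert in (ALICE, BOB, ROGUE):  # certificates carried in the signature's KeyInfo
    COMBINED.add(key_info_cert)

if __name__ == "__main__":
    signer = COMBINED.find_signing_cert("Example CA", 42, ALICE.digest())
    print(validate_chain(signer, COMBINED, ROOT_STORE, set(), date(2024, 6, 1)))
```

Running the module resolves the signer by issuer, serial and digest (so `bob`, which shares the serial 42, is not matched) and then walks `alice -> Example CA -> Example Root`, which ends in a self-signed certificate present in the ROOT stand-in; `Rogue Root`, although self-signed and present in the combined storage, is rejected because it is not in ROOT.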
